Re: IE is allowing virii/trojans/spyware etc. to install without help

From: Richard Urban (richardurbanREMOVETHIS_at_hotmail.com)
Date: 07/13/04


Date: Mon, 12 Jul 2004 23:44:54 -0400

Firewall, or not, once you click on a web link you have pretty much given
"permission" to whatever is on the other end of the link to pass through the
firewall.

All we can do is line up the bastards who create these things, back to
belly, and see how many of them can be taken out by a 30-06!

-- 
Regards:
Richard Urban
aka  Crusty (-: Old B@stard :-)
"Morbius" <Morbius@discussions.microsoft.com> wrote in message 
news:D5278A7C-DA28-47C3-AA28-FD3D117E2235@microsoft.com...
> Just my personal experience...
>
> I'm certainly no PC or internet newbie.  And I've been online before there 
> was even a well-known "internet", using CompuServe in its earliest days, 
> and BBSes before that.  I know how to avoid email virii, various scams, 
> and can spot a virus "hoax" a mile away.  I have a home network, behind a 
> firewall/router, and routinely run ZoneAlarm, Norton AV, AdAware, SpyBot 
> S&D, and have used various pop-up blockers, currently relying on the one 
> built into the Google Toolbar.
>
> In spite of all this, twice within the last month my system has been 
> compromised by my doing nothing more than clicking a web link on what 
> appeared to be trustworthy sites.  Just a couple days prior to the SCOB 
> scare, I was surfing around looking for info on digital cameras.  After 
> clicking some link, suddenly the screen began filling with popups (in 
> spite of the Google popup blocker), and then the system froze.  Upon 
> rebooting, I found my desktop wallpaper had been replaced by an active 
> desktop page to a "security" software site, and the CPU was pegged at near 
> 100%.  After about 9 hours, and multiple passes with various tools, I 
> found that along with the desktop hijack, I had been infected with 
> Backdoor.Jeem, several adware programs, and the nefarious CoolWebSearch. 
> I lost a whole day tracking down and removing all traces of this.
>
> This Sunday, an identical episode occurred...searching Google for info on 
> injector razors.  One of the links I clicked on took me to another site 
> that had some "consolidated" links regarding my search.  About the 5th 
> link I clicked on there suddenly put a couple of popups on the screen, and 
> one looked like a normal permissions screen, asking if I wanted to install 
> something-or-other from "Slotch.Com".  Of course I didn't...but I paused 
> for a minute to look over that window, as it didn't look quite right.  The 
> layout of the "Yes" and "No" buttons, and a couple other things, didn't 
> appear genuine.  I actually felt that clicking anywhere on that window was 
> a bad idea, so I just closed down all browser windows.  I also shut down 
> the system, and then I decided that considering my experience from a 
> couple weeks earlier, I better check things out thoroughly.
>
> I unplugged the network cable, and booted to safe mode.  First I ran 
> CWShredder, which found 4 instances installed.  I then ran Spybot S&D, 
> which found 40 suspicious files/entries, and deleted those.  Then I ran 
> Norton AV, which found 57 bad hits.  It was only able to delete 37 of 
> them, so I had to manually write down the name and location of each 
> file/registry entry and attempt to get rid of them.  After working through 
> all this, I reconnected to the network and booted up normally.  During the 
> course of this, I also discovered that two programs called PowerScan and 
> Sidebar T-Search, or something like that, had been installed, and as 
> neither had any uninstall or entry in Add/Remove programs, I had to 
> manually get rid of those.
>
> I wanted to go to the Symantec site and see what other info might be 
> available for some of the things it found.  After booting up, I decided to 
> use Mozilla Firefox to go to the site, as I had installed that after the 
> previous problem, and thought I might be a little safer till I was sure 
> the machine was clean.  But when I clicked on the Firefox desktop icon, it 
> couldn't find the program...sure enough, the entire Firefox folder and 
> install was gone.  Sneaky move on the spyware's part!  I still had the 
> Firefox install package on the system, so I reinstalled, and went out to 
> the Symantec site.  I went to a couple more sites with Firefox and then 
> shut the system down.
>
> I started it up a little later, and once again, clicking on the Firefox 
> icon said it couldn't locate the program...and again, the entire folder 
> and install was gone.  So something was still on the system, and deleting 
> Firefox apparently at will.  I ran HiJack This! and noticed a new BHO 
> listing that pointed to a DLL I hadn't seen before, something like 
> bvm202.dll.  I went and looked at the properties of that DLL, and it had 
> been created that day, at the same time all the problems started.  So I 
> booted to safe mode again, deleted the DLL, and deleted all references to 
> it from the Registry.  Reinstalled Firefox again, and now it seems to be 
> staying, so I'm not sure if that was the problem or not.
>
> In any event, I probably lost almost 20 hours of time over the two 
> incidents.  I'm still not 100% confident of the machine's status at this 
> point.  Numerous bad things got installed in each instance, and with me 
> doing no more than clicking a web link...in both cases, I did not attempt 
> to download or install anything, I did not give permission for 
> installation, and I had firewalls and AV products active at the time, 
> along with "supposed" popup blockers, and I was not doing or visiting 
> anything "shady" that I shouldn't have been.  Yet all of this did nothing 
> to stop these incidents from occurring.
>
> Point is, IE is simply allowing way too much damage to occur with little 
> or no action on the end-user's part.  It should never allow something to be 
> installed on my system without my explicit permission.  I do not 
> understand how this has happened, as I didn't think it was even possible 
> for things like this to occur without me doing SOMETHING to initiate it. 
> If clicking on a web link is all it takes, then quite clearly the IE 
> browser is useless.
>
> So now I'm back to using Firefox.  We'll see how this goes.  In any event, 
> MS needs to completely redesign its security model for this thing, as 
> right now I wouldn't trust it to go to MS's own website.
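The BHO check the quoted post describes (look at HijackThis's BHO listing, then check when the DLL behind the new entry was created) can be scripted so it does not depend on eyeballing a list. The PowerShell below is an added example for this thread; it is not code from HijackThis, Symantec, or either poster. It assumes a Windows host where it runs with rights to read HKLM, uses the standard Browser Helper Objects and CLSID registry locations, and the `RecentDays` cutoff, the function name, and the output columns are choices of this example.

```powershell
# Added example, not from the thread: list Browser Helper Objects the way
# HijackThis's BHO section does, resolve each CLSID to its DLL, and report
# the file's creation time and Authenticode status so that a DLL that
# appeared on the day the trouble started stands out.
function Get-BrowserHelperObject {
    [CmdletBinding()]
    param(
        # Entries whose DLL was created within this many days are flagged Recent.
        [int]$RecentDays = 7
    )

    # Standard BHO registration keys (64-bit and 32-bit views); assumed here,
    # a key that does not exist on the host is simply skipped.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }

        foreach ($entry in Get-ChildItem $key) {
            $clsid = $entry.PSChildName   # e.g. {XXXXXXXX-...}, the BHO's class id

            # The CLSID's InprocServer32 default value is the DLL that IE loads.
            $dll = $null
            foreach ($server in @(
                "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid\InprocServer32")) {
                if (Test-Path $server) {
                    $dll = (Get-ItemProperty -Path $server).'(default)'
                    if ($dll) { break }
                }
            }
            $dll = [Environment]::ExpandEnvironmentVariables("$dll")

            # A registered BHO whose DLL is missing is itself worth a look:
            # the registration is stale, or the file is hidden from this view.
            $file = if ($dll -and (Test-Path $dll)) { Get-Item $dll } else { $null }

            [pscustomobject]@{
                CLSID   = $clsid
                Dll     = $dll
                Created = if ($file) { $file.CreationTime } else { $null }
                Signed  = if ($file) { (Get-AuthenticodeSignature $dll).Status } else { 'missing' }
                Recent  = if ($file) { $file.CreationTime -gt $cutoff } else { $false }
            }
        }
    }
}

# Usage: newest DLLs first, so an entry created today is at the top.
Get-BrowserHelperObject -RecentDays 7 |
    Sort-Object Created -Descending |
    Format-Table CLSID, Dll, Created, Signed, Recent -AutoSize
```

Read the output the way the poster read HijackThis: a BHO is a normal IE extension point, so an entry is not bad because it exists, but one whose DLL was created at the time the problems began, is unsigned, or no longer exists on disk is the entry to investigate (and, as in the post, to inspect from safe mode with the network cable out before removing it and its registry references).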